connect-or-cut : Prevent connections to blocked addresses in COMMAND.
http://seclist.us/connect-or-cut-prevent-connections-to-blocked-addresses-in-command.html
Fri, 25 Aug 2017 02:30:56 +0000

What is it?
connect-or-cut is a small library that is interposed, via LD_PRELOAD, into a program to prevent it from connecting where it should not.

This is similar to a firewall, except that:
– you do not need to be root to use it
– only processes launched after LD_PRELOAD is set are affected, not the full system

You can use connect-or-cut to:
+ Sandbox an untrusted application to prevent all outgoing connections from it
+ Monitor where an application is connecting to understand how it works
+ Filter out advertising sites during your web navigation
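To show what an LD_PRELOAD interposer of this kind does under the hood, here is an added example in the spirit of connect-or-cut. It is not the project's own code: the environment variable name CC_BLOCK, the rule syntax ("a.b.c.d" for any port, "a.b.c.d:port" for one port), and the helper cc_is_blocked() are assumptions made for this example. It overrides connect(2), looks up the real libc implementation with dlsym(RTLD_NEXT), and fails the call with ECONNREFUSED when the IPv4 destination matches a rule.

```c
/* Added example, not connect-or-cut's code: minimal LD_PRELOAD connect() shim.
 * Build:  cc -shared -fPIC -o cc_shim.so cc_shim.c -ldl
 * Use:    CC_BLOCK="93.184.216.34,10.0.0.5:443" LD_PRELOAD=./cc_shim.so curl http://example.com/
 * CC_BLOCK and the rule syntax are assumptions for this example. */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <dlfcn.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

#ifndef RTLD_NEXT              /* glibc value, in case _GNU_SOURCE was not seen first */
#define RTLD_NEXT ((void *) -1l)
#endif

/* Return 1 if ip:port matches an entry of the comma-separated rule list.
 * A rule is "a.b.c.d" (blocks every port) or "a.b.c.d:port" (one port).
 * Malformed or over-long entries are skipped rather than treated as matches. */
int cc_is_blocked(const char *rules, const char *ip, unsigned port) {
    if (!rules) return 0;
    const char *p = rules;
    while (*p) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        char rule[64];
        if (len > 0 && len < sizeof rule) {
            memcpy(rule, p, len);
            rule[len] = '\0';
            char *colon = strchr(rule, ':');
            unsigned rport = 0;                /* 0 means "any port" */
            if (colon) {
                *colon = '\0';
                rport = (unsigned)strtoul(colon + 1, NULL, 10);
            }
            if (strcmp(rule, ip) == 0 && (rport == 0 || rport == port)) return 1;
        }
        if (!end) break;
        p = end + 1;
    }
    return 0;
}

typedef int (*connect_fn)(int, const struct sockaddr *, socklen_t);

/* Interposed connect(): consult the rules, then fall through to libc's connect(). */
int connect(int fd, const struct sockaddr *addr, socklen_t len) {
    static connect_fn real_connect;
    if (!real_connect) real_connect = (connect_fn)dlsym(RTLD_NEXT, "connect");

    /* Only IPv4 is inspected here; AF_INET6 and AF_UNIX pass straight through. */
    if (addr && addr->sa_family == AF_INET && len >= sizeof(struct sockaddr_in)) {
        const struct sockaddr_in *in = (const struct sockaddr_in *)addr;
        char ip[INET_ADDRSTRLEN];
        inet_ntop(AF_INET, &in->sin_addr, ip, sizeof ip);
        unsigned port = ntohs(in->sin_port);
        if (cc_is_blocked(getenv("CC_BLOCK"), ip, port)) {
            fprintf(stderr, "[cc_shim] blocked connect() to %s:%u\n", ip, port);
            errno = ECONNREFUSED;
            return -1;
        }
    }
    return real_connect(fd, addr, len);
}
```

Two caveats apply to any LD_PRELOAD-based filter, this one and connect-or-cut alike. First, the shim is only reached by dynamically linked programs that go through libc's connect(); a statically linked binary, a program that issues the socket syscall directly, or a set-user-ID program (for which the dynamic loader drops LD_PRELOAD) is not covered, and the sandboxed process can itself clear LD_PRELOAD from the environment it passes to children. Second, the example above ignores IPv6, so a blocked host that is also reachable over AF_INET6 would still be contacted. Treat this technique as a monitoring and convenience layer for cooperative programs, not as a security boundary against hostile code; for that, a real firewall or a seccomp/network-namespace sandbox is needed.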

Hostsblock – An ad- and malware-blocking script for Linux.
http://seclist.us/hostsblock-an-ad-and-malware-blocking-script-for-linux.html
Fri, 04 Aug 2017 01:53:55 +0000

Hostsblock is a bash script designed to take advantage of the /etc/hosts file to provide system-wide blocking of internet advertisements, malicious domains, trackers, and other undesirable content.
To do so, it downloads a configurable set of blocklists and processes their entries into a single /etc/hosts file. Hostsblock also acts as a command-line utility that allows you to block and unblock particular websites, along with any other domains contained in those websites.

hostsblock Version 0.999.6 (Alpha 6) (03.08.2017)

Features
– NEW: Enhanced security – Runs as an unprivileged user instead of root.
– System-wide blocking – All non-proxied connections use the HOSTS file (proxied connections can be modified to use the HOSTS file)
– Compression-friendly – Can download and process zip- and 7zip-compressed files automatically (provided that unzip and p7zip are installed)
– Non-interactive – Can be run as a periodic cronjob or systemd timer without needing user interaction.
– Extensive configurability – Allows for custom black- and whitelisting, redirection, post-processing scripting, etc.
– Bandwidth-efficient – Only downloads blocklists that have changed, using HTTP compression when available.
– Resource-efficient – Only processes blocklists when changes are registered, uses minimal pipes.
– High-performance blocking – When used together with DNS caching and pseudo-server daemons.
– Redirection capability – Enhances security by combating DNS cache poisoning.
– Extensive choice of blocklists included – Allowing the user to choose how much or how little is blocked/redirected.

OpenSnitch is a GNU/Linux port of the Little Snitch application firewall.
http://seclist.us/opensnitch-is-a-gnulinux-port-of-the-little-snitch-application-firewall.html
Sun, 11 Jun 2017 22:59:29 +0000

How Does It Work:
OpenSnitch is an application-level firewall, meaning that while it is running, it will detect and alert the user about every outgoing connection the applications they are running create. This can be extremely effective for detecting and blocking unwanted connections on your system that might be caused by a security breach, making data exfiltration much harder for an attacker.

What is MTR?
mtr combines the functionality of the ‘traceroute’ and ‘ping’ programs in a single network diagnostic tool.
As mtr starts, it investigates the network connection between the host mtr runs on and a user-specified destination host. After it determines the address of each network hop between the machines, it sends a sequence of ICMP ECHO requests to each one to determine the quality of the link to each machine. As it does this, it prints running statistics about each machine.

MalRecon – Basic Malware Reconnaissance and Analysis Tool.
http://seclist.us/malrecon-basic-malware-reconnaissance-and-analysis-tool.html
Wed, 24 May 2017 02:39:34 +0000

MalRecon is a simple tool used to automate some of the more mundane tasks involved in obtaining malware. Its final action is to compress and encrypt all of the collected files into a 7z archive for portability and analysis. It is designed to work out of the box with Kali Linux, but should work on most ‘nix distros without problems.

DAMM – Differential Analysis of Malware in Memory.
http://seclist.us/damm-differential-analysis-of-malware-in-memory.html
Sun, 16 Apr 2017 19:59:14 +0000

DAMM is an open-source memory analysis tool built on top of Volatility. It is meant as a proving ground for interesting new techniques to be made available to the community. These techniques are an attempt to speed up the investigation process through data reduction and by codifying some expert knowledge.

DAMM v1.0 Beta

Features:
* ~30 Volatility plugins combined into ~20 DAMM plugins (e.g., pslist, psxview and other elements are combined into a ‘processes’ plugin)
* Can run multiple plugins in one invocation
* The option to store plugin results in SQLite databases for preservation or for “cached” analysis
* A filtering/type system that allows easily filtering on attributes like pids to see all information related to some process and exact or partial matching for strings, etc.
* The ability to show the differences between two databases of results for the same or similar machines and manipulate from the cmdline how the differencing operates
* The ability to warn on certain types of suspicious behavior
* Output formats: terminal, TSV or grepable

pom-ng is a real time network forensic tool.
http://seclist.us/pom-ng-is-a-real-time-network-forensic-tool.html
Sat, 08 Apr 2017 00:26:49 +0000

pom-ng is a network forensics tool that parses network traffic from files, network interfaces and other sources, and allows you to extract any information you wish about what is happening. It parses network traffic into events and payloads which can then be logged, saved or processed in any other way you might imagine.

* Optional dependencies
+ libmagic – Comes with the file utility on Linux. Allows identification of unknown payloads.
+ libpcap – Used to capture packets from a live interface as well as to read and save pcap files. A must-have!
+ zlib – Used to decompress payloads and packets.
+ libjpeg – Used to analyze JPEG images.
+ SQLite (>= 3.x) – Database backend to store configurations and other data (on Debian wheezy the dev package is libsqlite3-dev).
+ libexif – Used to parse EXIF data from JPEG images.
+ PostgreSQL – Another database backend.

FakeNet-NG – Next Generation Dynamic Network Analysis Tool.
http://seclist.us/fakenet-ng-next-generation-dynamic-network-analysis-tool.html
Fri, 31 Mar 2017 09:52:10 +0000

FakeNet-NG is a next generation dynamic network analysis tool for malware analysts and penetration testers. It is open source and designed for the latest versions of Windows. FakeNet-NG is based on the excellent Fakenet tool developed by Andrew Honig and Michael Sikorski.
The tool allows you to intercept and redirect all or specific network traffic while simulating legitimate network services. Using FakeNet-NG, malware analysts can quickly identify malware’s functionality and capture network signatures. Penetration testers and bug hunters will find FakeNet-NG’s configurable interception engine and modular framework highly useful when testing an application’s specific functionality and prototyping PoCs.

FakeNet-NG v1.1

The configuration file is broken up into several sections.
* [FakeNet] – Controls the behavior of the application itself. The only valid option at this point is DivertTraffic. When enabled, it instructs the tool to launch the appropriate diverter plugin and intercept traffic. If this option is disabled, FakeNet-NG will still launch listeners, but will rely on another method to direct traffic to them (e.g. manually changing the DNS server).
* [Diverter] – Settings for redirecting traffic. Covered in detail below.
* [Listener Name] – A collection of listener configurations. Each listener has a set of default settings (e.g. port, protocol) as well as listener specific configurations (e.g. DumpHTTPPosts for the HTTPListener).

Lynis is a security auditing tool for Unix derivatives such as Linux, BSD, and Solaris. It performs an in-depth security scan of the system to detect software and security issues. Besides information related to security, it will also scan for general system information, vulnerable software packages, and possible configuration issues.
We believe software should be simple, updated on a regular basis and open. You should be able to trust, understand, and even alter the software. Many agree with us, as the software is being used by thousands every day to protect their systems.